Microsoft tweaks IIS patch

Some customers ran into trouble while trying to install MS06-034, which addresses a remote code execution flaw in Internet Information Services (IIS).

Microsoft has tweaked one of the security updates it released last week, after customers reported installation problems.

The issues affected MS06-034, which addressed a remote code execution flaw in Internet Information Services (IIS). Microsoft said in its bulletin that attackers could exploit the vulnerability in its Web server software by constructing a specially crafted Active Server Pages .asp file, potentially allowing remote code execution if the IIS processes the specially crafted file.

Craig Gehre, release manager for the Microsoft Security Response Center, announced the patch fixes in the center's blog on 18 July. He described two minor problems that had to be addressed:

"One issue was that even though you installed the update you could still be getting it reoffered to you via Windows Update, Microsoft Update, Automatic Update, or WSUS (Windows Server Update Services)," he said. "In some cases we were detecting on a file you may not even have on your system."

He said the second issue was that users running Windows Server 2003 SP1 may not have been re-offered the update after a failed install. "If you installed the update while IIS was using the file ASP.dll, the package may appear to install correctly, but it did not," he said.

Both issues have been addressed, but since the second issue might have involved a silent failure, Gehre recommended all Windows 2003 SP1 users rerun detection of the patch on their systems to make sure they are properly updated.

Read more on IT risk management